[UPDATED] Reveton Malware Replaces Locked Desktops with Fake AV

Reveton is a nasty and well-known piece of ransomware that typically hijacks the desktop with a locked screen and asks victims to pay up “or else”. The “or else” usually involves fictitious threats of law-enforcement action being brought down upon their heads unless they pay $200 via the scammer’s chosen payment method.

Today we saw a Reveton hijack which ditches the locked desktop in favour of something a little more old school – horror of horrors, a piece of Fake AV called Live Security Professional.


This one begins with the Sweet Orange Exploit Kit. Here are some example URLs; the URLs themselves are typically Java class exploits:

din(dot)sanjosestategrad(dot)com/project/board(dot)php?connect=17

Reveton has certain characteristics, and this attack does indeed make use of them. As far as this particular example goes, we have the following information:

* The downloader is encrypted, and when downloaded creates a randomly named .dll which then runs the rogue. As a result, the URLs will not always be the same, and you can only obtain the binary when it is downloaded or extracted.

* It stores itself in familiar locations with a .dat extension, and uses the well-worn .lnk file to launch on boot.


In other words, it behaves like Reveton, except that it doesn’t lock the screen and uses a rogue instead, which is an interesting shift in tactics given that ransomware is currently pulling out all the stops to hijack end-users and force them to pay up. We’ll update this post with more information as we get it.

Christopher Boyd (Thanks to Matthew for finding this and Patrick for additional information)

Christopher Boyd is a Senior Threat Researcher for ThreatTrack Security, former Director of Research for FaceTime Security Labs and a multiple recipient of the Microsoft MVP award for Consumer Security. He has given talks across the globe including RSA, InfoSec Europe and SecTor, and has been thanked by Google for his contributions to responsible disclosure.